| From jejb@kernel.org Tue Nov 4 11:44:30 2008 |
| From: Johannes Berg <johannes@sipsolutions.net> |
| Date: Sun, 2 Nov 2008 19:30:21 GMT |
| Subject: libertas: fix buffer overrun |
| To: jejb@kernel.org, stable@kernel.org |
| Message-ID: <200811021930.mA2JULX5009457@hera.kernel.org> |
| |
| From: Johannes Berg <johannes@sipsolutions.net> |
| |
| commit 48735d8d8bd701b1e0cd3d49c21e5e385ddcb077 upstream |
| |
| If somebody sends an invalid beacon/probe response, that can trash the |
| whole BSS descriptor. The descriptor is, luckily, large enough so that |
| it cannot scribble past the end of it; it's well above 400 bytes long. |
| |
| Signed-off-by: Johannes Berg <johannes@sipsolutions.net> |
| Signed-off-by: John W. Linville <linville@tuxdriver.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/net/wireless/libertas/scan.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/net/wireless/libertas/scan.c |
| +++ b/drivers/net/wireless/libertas/scan.c |
| @@ -598,8 +598,8 @@ static int lbs_process_bss(struct bss_de |
| |
| switch (elem->id) { |
| case MFIE_TYPE_SSID: |
| - bss->ssid_len = elem->len; |
| - memcpy(bss->ssid, elem->data, elem->len); |
| + bss->ssid_len = min_t(int, 32, elem->len); |
| + memcpy(bss->ssid, elem->data, bss->ssid_len); |
| lbs_deb_scan("got SSID IE: '%s', len %u\n", |
| escape_essid(bss->ssid, bss->ssid_len), |
| bss->ssid_len); |
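Review bot: the clamp in the added `min_t(int, 32, elem->len)` line uses a bare literal 32, and nothing in the hunk ties that value to the size of `bss->ssid`. If `ssid` is a fixed-size array, deriving the limit from the destination (for example `sizeof(bss->ssid)`) or from a named SSID-length constant would keep the bound correct if the field is ever resized. An over-length SSID element is also truncated silently and the rest of the frame is still processed; since the commit message calls such a beacon/probe response invalid, consider a debug message or rejecting the element when `elem->len` exceeds the limit. Only the `MFIE_TYPE_SSID` case is visible here, so any other case of this switch that copies `elem->len` bytes into a fixed field of `bss` should be checked for the same pattern.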